GoogleCloudPlatform · dhavalbhensdadiya-crest · Jan 21, 2026 · Jan 21, 2026 · Jan 21, 2026 · Jan 22, 2026
@@ -12,14 +12,16 @@ the Secret Manager API using the Google Java API Client Libraries.
 
 ### Enable the API
 
-You must [enable the Secret Manager API](https://console.cloud.google.com/flows/enableapi?apiid=secretmanager.googleapis.com) for your project in order to use these samples
+You must enable the [Secret Manager API](https://console.cloud.google.com/flows/enableapi?apiid=secretmanager.googleapis.com) and [Cloud KMS API](https://console.cloud.google.com/flows/enableapi?apiid=cloudkms.googleapis.com) for your project in order to use these samples
 
 ### Set Environment Variables
 
-You must set your project ID in order to run the tests
+You must set your project ID, KMS Keys (Global and Regional) in order to run the tests
 
 ```text
 $ export GOOGLE_CLOUD_PROJECT=<your-project-id-here>
+$ export GOOGLE_CLOUD_REGIONAL_KMS_KEY=<full-name-of-regional-kms-key> (region same as location)
+$ export GOOGLE_CLOUD_KMS_KEY=<full-name-of-global-kms-key>
 ```
 
 ### Grant Permissions
@@ -28,5 +30,6 @@ You must ensure that the [user account or service account](https://cloud.google.
 
 * Secret Manager Admin (`roles/secretmanager.admin`)
 * Secret Manager Secret Accessor (`roles/secretmanager.secretAccessor`)
+* Cloud KMS Encrypter / Decrypter (`roles/cloudkms.cryptoKeyEncrypterDecrypter`) on the regional and global KMS key used for testing
 
 More information can be found in the [Secret Manager Docs](https://cloud.google.com/secret-manager/docs/access-control)
@@ -0,0 +1,76 @@
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package secretmanager;
+
+// [START secretmanager_create_secret_with_annotations]
+import com.google.cloud.secretmanager.v1.CustomerManagedEncryption;
+import com.google.cloud.secretmanager.v1.ProjectName;
+import com.google.cloud.secretmanager.v1.Replication;
+import com.google.cloud.secretmanager.v1.Secret;
+import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
+import java.io.IOException;
+
+public class CreateSecretWithCmek {
+
+  public static void main() throws IOException {
+    // TODO(developer): Replace these variables before running the sample.
+
+    // This is the id of the GCP project
+    String projectId = "your-project-id";
+    // This is the id of the secret to act on
+    String secretId = "your-secret-id";
+    // This is the Full kms key name to be used for Cmek.
+    String kmsKeyName = "your-kms-key-name";
+    createSecretWithCmek(projectId, secretId, kmsKeyName);
+  }
+
+  // Create a secret with annotations.
+  public static Secret createSecretWithCmek(String projectId, String secretId, String kmsKeyName)
+      throws IOException {
+
+    // Initialize client that will be used to send requests. This client only needs
+    // to be created
+    // once, and can be reused for multiple requests.
+    try (SecretManagerServiceClient client = SecretManagerServiceClient.create()) {
+
+      // Build the secret name.
+      ProjectName projectName = ProjectName.of(projectId);
+
+      // Build the Cmek configuration.
+      CustomerManagedEncryption customerManagedEncryption =
+          CustomerManagedEncryption.newBuilder().setKmsKeyName(kmsKeyName).build();
+
+      // Build the replication using Cmek.
+      Replication secretReplication =
+          Replication.newBuilder()
+              .setAutomatic(
+                  Replication.Automatic.newBuilder()
+                      .setCustomerManagedEncryption(customerManagedEncryption)
+                      .build())
+              .build();
+
+      // Build the secret to create with labels.
+      Secret secret = Secret.newBuilder().setReplication(secretReplication).build();
+
+      // Create the secret.
+      Secret createdSecret = client.createSecret(projectName, secretId, secret);
+      System.out.printf("Created secret %s\n", createdSecret.getName());
+      return createdSecret;
+    }
+  }
+}
+// [END secretmanager_create_secret_with_annotations]
@@ -0,0 +1,77 @@
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package secretmanager;
+
+// [START secretmanager_delete_secret_annotations]
+import com.google.cloud.secretmanager.v1.Secret;
+import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
+import com.google.cloud.secretmanager.v1.SecretName;
+import com.google.protobuf.FieldMask;
+import com.google.protobuf.util.FieldMaskUtil;
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+public class DeleteSecretAnnotations {
+
+  public static void main() throws IOException {
+    // TODO(developer): Replace these variables before running the sample.
+
+    // This is the id of the GCP project
+    String projectId = "your-project-id";
+    // This is the id of the secret to act on
+    String secretId = "your-secret-id";
+    deleteSecretAnnotations(projectId, secretId);
+  }
+
+  // Delete annotations from an existing secret.
+  public static Secret deleteSecretAnnotations(String projectId, String secretId)
+      throws IOException {
+    // Initialize client that will be used to send requests. This client only needs
+    // to be created
+    // once, and can be reused for multiple requests.
+    try (SecretManagerServiceClient client = SecretManagerServiceClient.create()) {
+      // Build the name of the secret.
+      SecretName secretName = SecretName.of(projectId, secretId);
+
+      // Get the current secret
+      Secret existingSecret = client.getSecret(secretName);
+
+      // Remove all annotations
+      Map<String, String> existingAnnotationsMap =
+          new HashMap<String, String>(existingSecret.getAnnotationsMap());
+      existingAnnotationsMap.clear();
+
+      // Build the updated secret.
+      Secret secret =
+          Secret.newBuilder()
+              .setName(secretName.toString())
+              .putAllAnnotations(existingAnnotationsMap)
+              .build();
+
+      // Create the field mask for updating only the annotations
+      FieldMask fieldMask = FieldMaskUtil.fromString("annotations");
+
+      // Update the secret.
+      Secret updatedSecret = client.updateSecret(secret, fieldMask);
+      System.out.printf("Deleted annotations from %s\n", updatedSecret.getName());
+
+      return updatedSecret;
+    }
+  }
+}
+// [END secretmanager_delete_secret_annotations]
@@ -0,0 +1,75 @@
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package secretmanager.regionalsamples;
+
+// [START secretmanager_create_regional_secret_with_cmek]
+import com.google.cloud.secretmanager.v1.CustomerManagedEncryption;
+import com.google.cloud.secretmanager.v1.LocationName;
+import com.google.cloud.secretmanager.v1.Secret;
+import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
+import com.google.cloud.secretmanager.v1.SecretManagerServiceSettings;
+import java.io.IOException;
+
+public class CreateRegionalSecretWithCmek {
+
+  public static void main() throws IOException {
+    // TODO(developer): Replace these variables before running the sample.
+
+    // This is the id of the GCP project
+    String projectId = "your-project-id";
+    // Location of the secret.
+    String locationId = "your-location-id";
+    // This is the id of the secret to act on
+    String secretId = "your-secret-id";
+    // This is the Full kms key name to be used for Cmek.
+    String kmsKeyName = "your-kms-key-name";
+    createRegionalSecretWithCmek(projectId, locationId, secretId, kmsKeyName);
+  }
+
+  // Create a new regional secret with customer-managed encryption key.
+  public static Secret createRegionalSecretWithCmek(
+      String projectId, String locationId, String secretId, String kmsKeyName) throws IOException {
+
+    // Endpoint to call the regional secret manager server
+    String apiEndpoint = String.format("secretmanager.%s.rep.googleapis.com:443", locationId);
+    SecretManagerServiceSettings secretManagerServiceSettings =
+        SecretManagerServiceSettings.newBuilder().setEndpoint(apiEndpoint).build();
+
+    // Initialize client that will be used to send requests. This client only needs
+    // to be created
+    // once, and can be reused for multiple requests.
+    try (SecretManagerServiceClient client =
+        SecretManagerServiceClient.create(secretManagerServiceSettings)) {
+      // Build the parent name from the project and location.
+      LocationName locationName = LocationName.of(projectId, locationId);
+
+      // Build the customer-managed encryption configuration.
+      CustomerManagedEncryption customerManagedEncryption =
+          CustomerManagedEncryption.newBuilder().setKmsKeyName(kmsKeyName).build();
+
+      // Build the secret with customer-managed encryption key.
+      Secret secret =
+          Secret.newBuilder().setCustomerManagedEncryption(customerManagedEncryption).build();
+
+      // Create the secret.
+      Secret createdSecret = client.createSecret(locationName.toString(), secretId, secret);
+      System.out.printf("Created secret %s\n", createdSecret.getName());
+      return createdSecret;
+    }
+  }
+}
+// [END secretmanager_create_regional_secret_with_cmek]
@@ -0,0 +1,88 @@
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package secretmanager.regionalsamples;
+
+// [START secretmanager_delete_regional_secret_annotations]
+import com.google.cloud.secretmanager.v1.Secret;
+import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
+import com.google.cloud.secretmanager.v1.SecretManagerServiceSettings;
+import com.google.cloud.secretmanager.v1.SecretName;
+import com.google.protobuf.FieldMask;
+import com.google.protobuf.util.FieldMaskUtil;
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+public class DeleteRegionalSecretAnnotations {
+
+  public static void main() throws IOException {
+    // TODO(developer): Replace these variables before running the sample.
+
+    // This is the id of the GCP project
+    String projectId = "your-project-id";
+    // Location of the secret.
+    String locationId = "your-location-id";
+    // This is the id of the secret to act on
+    String secretId = "your-secret-id";
+    deleteRegionalSecretAnnotations(projectId, locationId, secretId);
+  }
+
+  // Delete annotations from an existing regional secret.
+  public static Secret deleteRegionalSecretAnnotations(
+      String projectId, String locationId, String secretId) throws IOException {
+
+    // Endpoint to call the regional secret manager server
+    String apiEndpoint = String.format("secretmanager.%s.rep.googleapis.com:443", locationId);
+    SecretManagerServiceSettings secretManagerServiceSettings =
+        SecretManagerServiceSettings.newBuilder().setEndpoint(apiEndpoint).build();
+
+    // Initialize client that will be used to send requests. This client only needs
+    // to be created
+    // once, and can be reused for multiple requests.
+    try (SecretManagerServiceClient client =
+        SecretManagerServiceClient.create(secretManagerServiceSettings)) {
+      // Build the name of the secret.
+      SecretName secretName =
+          SecretName.ofProjectLocationSecretName(projectId, locationId, secretId);
+
+      // Get the current secret
+      Secret existingSecret = client.getSecret(secretName);
+
+      // Remove all annotations
+      Map<String, String> existingAnnotationsMap =
+          new HashMap<String, String>(existingSecret.getAnnotationsMap());
+      existingAnnotationsMap.clear();
+
+      // Build the updated secret.
+      Secret secret =
+          Secret.newBuilder()
+              .setName(secretName.toString())
+              .putAllAnnotations(existingAnnotationsMap)
+              .build();
+
+      // Create the field mask for updating only the annotations
+      FieldMask fieldMask = FieldMaskUtil.fromString("annotations");
+
+      // Update the secret.
+      Secret updatedSecret = client.updateSecret(secret, fieldMask);
+      System.out.printf("Deleted annotations from %s\n", updatedSecret.getName());
+
+      return updatedSecret;
+    }
+  }
+}
+// [END secretmanager_delete_regional_secret_annotations]